1. Field of the Invention
The present invention relates to network technology. More particularly, the present invention relates to methods and apparatus for implementing an access list key in IPv6.
2. Description of the Related Art
Routers typically maintain an access control list in order to perform policy based routing. Each entry in the access control list defines an access rule defining a particular type of traffic and whether that traffic will be permitted or denied. The access rule that applies to a data packet received or transmitted by a router may be ascertained from information in one or more headers of the data packet.
An exemplary data packet is illustrated in FIG. 1. As shown, the data packet 100 typically comprises multiple headers, including an IP header 102, a layer 4 header 104 (e.g., TCP), and an application header 106 (e.g., HTTP). From each of these headers, information may be obtained that enables a router to route the data packet according to various policies.
When a packet is received or transmitted by a router, the information is extracted from one or more of the packet headers and used to check the access control list (ACL). FIG. 2 is a diagram illustrating an exemplary access control list 200. As shown, a typical access control entry includes an IP source field 202, identifying one or more source IP addresses, an IP destination field 204, identifying one or more destination IP addresses, a protocol type field 206, identifying one or more layer 4 protocols, and a permit/deny field 208, indicating whether traffic is permitted or denied if it matches the access rule defined by that entry. In addition, when the layer 4 protocol uses ports to identify applications, as TCP, UDP, and SCTP do, a source port field 210 and a destination port field 212 may be specified that define one or more source and destination ports, respectively. Conceptually, the information extracted from a packet is used to check each access control entry in sequence, and when a match is found, the action specified by that entry (permit or deny) is applied to the packet. For instance, as shown, traffic sent from any IP address to a mail server using the TCP protocol from any source port to the mail port will match the first entry and will be allowed. Traffic sent from the mail server to any IP address using the TCP protocol from the mail port to any port will match the second entry and will be allowed. Any other kind of traffic will match the third entry and will be denied. In this manner, access rules are defined and used for filtering packets.
The classification capabilities of ACLs are used not only for policy reasons, but also to implement traffic prioritization, in order to give each kind of traffic the appropriate Quality of Service (QoS). The process is the same as that described above, but each access control entry is associated with a priority value instead of with a permit/deny rule. In this case an additional field, the Differentiated Services Code Point (DSCP) field present in the IP header, is usually added to the access control entry.
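The sequential first-match evaluation described above, for both the filtering ACL of FIG. 2 and the QoS variant that adds a DSCP field, as an added example that is not part of the patent text. The mail server address (192.0.2.25, from a documentation range), the protocol numbers, the port 25 for the mail port, and the DSCP value 46 are constructed sample values; the implicit deny when no entry matches is an assumption of this example, not something the patent states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample values (not from the patent): mail server on a
# documentation subnet, TCP = IP protocol 6, UDP = 17, SMTP = port 25.
MAIL_SERVER = "192.0.2.25/32"
ANY = "0.0.0.0/0"
TCP, UDP = 6, 17
MAIL_PORT = (25, 25)
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    """Fields extracted from the IP and layer 4 headers of one packet (FIG. 1)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    dscp: int = 0


@dataclass(frozen=True)
class AccessEntry:
    """One access control entry (fields 202-212 of FIG. 2). `action` is
    permit/deny for filtering or a priority label for QoS; `dscp` is the
    extra field a QoS entry carries."""
    src: str
    dst: str
    proto: Optional[int]          # None matches any layer 4 protocol
    sports: Tuple[int, int]       # inclusive port range
    dports: Tuple[int, int]
    action: str
    dscp: Optional[int] = None    # None matches any DSCP value

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if not (self.sports[0] <= p.sport <= self.sports[1]):
            return False
        if not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return self.dscp is None or p.dscp == self.dscp


def lookup(acl: List[AccessEntry], p: Packet) -> Tuple[Optional[int], str]:
    """Check entries in order; the first match decides the action."""
    for idx, entry in enumerate(acl):
        if entry.matches(p):
            return idx, entry.action
    return None, "deny"   # assumption for this example: implicit deny


# The three entries of FIG. 2: to the mail port, from the mail port, deny the rest.
FILTER_ACL = [
    AccessEntry(ANY, MAIL_SERVER, TCP, ANY_PORT, MAIL_PORT, "permit"),
    AccessEntry(MAIL_SERVER, ANY, TCP, MAIL_PORT, ANY_PORT, "permit"),
    AccessEntry(ANY, ANY, None, ANY_PORT, ANY_PORT, "deny"),
]

# QoS variant: the same matching, but the action is a priority and the
# entries may match on the DSCP field of the IP header.
QOS_ACL = [
    AccessEntry(ANY, ANY, None, ANY_PORT, ANY_PORT, "priority-high", dscp=46),
    AccessEntry(ANY, MAIL_SERVER, TCP, ANY_PORT, MAIL_PORT, "priority-medium"),
    AccessEntry(ANY, ANY, None, ANY_PORT, ANY_PORT, "priority-low"),
]

if __name__ == "__main__":
    inbound_mail = Packet("198.51.100.9", "192.0.2.25", TCP, 51000, 25)
    print(lookup(FILTER_ACL, inbound_mail))   # (0, 'permit')
    print(lookup(QOS_ACL, inbound_mail))      # (1, 'priority-medium')
```

Because the evaluation is first-match, entry order is part of the policy: a catch-all entry placed before the mail entries would shadow them, which is the usual ACL review point when auditing a rule set.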
In IPv4, each source and destination IP address field of an IP data packet comprises 32 bits. However, with the advent of the Internet and the need for connecting many more computers via the Internet, a new version of the IP protocol (called IPv6, defined in RFC 2460) has been defined, in which the source and destination IP address fields of an IP data packet have each been increased four-fold in length, to 128 bits. In addition, IPv6 provides for modular headers. FIG. 3 illustrates an exemplary IPv6 header. As shown, a next header field 302 points to the next header.
FIG. 4 illustrates the use of modular IPv6 “extension” headers. In each example, an IPv6 header is the initial header. In each header, a next header field points to the next header. Thus, a header may be an initial header (e.g., IPv6 header), intermediate header, or terminating (e.g., layer 4) header.
Processing done by a router is often performed in hardware, since the hardware can be faster than the software. As one example, an access control list is sometimes implemented in Ternary Content Addressable Memory (TCAM). An exemplary TCAM is illustrated in FIG. 5. A TCAM 500 comprises a plurality of entries 502. Each entry 502 comprises a key 504 corresponding to an address or pointer 506 to another conventional memory that specifies the manner in which a packet is to be handled. For instance, in this example, the conventional memory is an entry 508 in a policy table 510 that specifies if the packet is to be forwarded or dropped.
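A software model of the TCAM of FIG. 5, as an added example that is not part of the patent: each entry holds a key value with a mask (1 = compare this bit, 0 = don't care), the lowest-index matching entry wins, and the entry yields a pointer into a separate policy table that says whether to forward or drop. The 48-bit key layout (32-bit IPv4 source address followed by a 16-bit destination port), the addresses and the three sample entries are constructed for this demo and are not the patent's.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Constructed key layout for this demo (not the patent's): 32-bit IPv4
# source address followed by a 16-bit destination port = 48 bits per entry.
SRC_BITS, PORT_BITS = 32, 16
KEY_BITS = SRC_BITS + PORT_BITS


@dataclass(frozen=True)
class TcamEntry:
    value: int      # key bits to compare against (key 504 in FIG. 5)
    mask: int       # 1 = bit must match, 0 = don't care (the "ternary" part)
    pointer: int    # address 506 into the policy table


def make_entry(src: str, dport: Optional[int], pointer: int) -> TcamEntry:
    """Build a ternary entry from a source prefix and an optional exact port."""
    net = IPv4Network(src)
    src_value = int(net.network_address) << PORT_BITS
    src_mask = int(net.netmask) << PORT_BITS
    if dport is None:
        port_value, port_mask = 0, 0                     # any port
    else:
        port_value, port_mask = dport, (1 << PORT_BITS) - 1
    return TcamEntry(src_value | port_value, src_mask | port_mask, pointer)


def make_key(src: str, dport: int) -> int:
    """Compose the lookup key from fields extracted from the packet."""
    return (int(IPv4Address(src)) << PORT_BITS) | dport


def tcam_lookup(tcam: List[TcamEntry], key: int) -> Optional[int]:
    """Hardware compares all entries at once; the priority encoder returns
    the lowest-index hit. Here the loop stands in for that parallel compare."""
    for entry in tcam:
        if (key & entry.mask) == entry.value:
            return entry.pointer
    return None


# Entries 508 in policy table 510: the pointer selects forward or drop.
POLICY_TABLE: Dict[int, str] = {0: "forward", 1: "forward", 2: "drop"}

# Constructed sample entries, in priority order.
TCAM = [
    make_entry("192.0.2.0/24", None, 0),   # anything from the local subnet
    make_entry("0.0.0.0/0", 25, 1),        # anyone to the mail port
    make_entry("0.0.0.0/0", None, 2),      # catch-all
]


def classify(src: str, dport: int) -> str:
    """Single look-up: key -> TCAM entry -> policy table entry."""
    ptr = tcam_lookup(TCAM, make_key(src, dport))
    return "drop" if ptr is None else POLICY_TABLE[ptr]


if __name__ == "__main__":
    print(classify("192.0.2.7", 80))      # forward (first entry)
    print(classify("198.51.100.9", 25))   # forward (second entry)
    print(classify("198.51.100.9", 80))   # drop (catch-all)
```

The `mask` is what lets one entry stand for a whole prefix or an "any port" wildcard without expanding it into many exact entries; the key width is fixed by the entry, which is the constraint the rest of this section is about.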
An access list key used in a memory such as a TCAM is typically generated using information from the IP header as well as information from additional header(s) (e.g., layer 4 header). As one example, the key may be composed of the source IP address, destination IP address, protocol type, source port, and destination port. Finding the information required to compose a key has become more complicated in IPv6, due to the modularization of headers. Moreover, the size of the key is constrained by the size of the TCAM.
Currently, the maximum size of an entry in a conventional TCAM is 288 bits wide. The maximum size of a TCAM has not previously been a limiting factor with IPv4, but the sizes of the source IP and destination IP address fields have dramatically increased with IPv6. Thus, with 128 bits for each of the source and destination IP address fields, 8 bits for the protocol type, and 16 bits for each of the source port and destination port fields, a key in IPv6 can require 296 bits. Accordingly, a key in IPv6 for an access list is larger than the maximum size of an entry in a TCAM. The problem is even worse if we consider the use of the ACL for QoS reasons, since adding the DSCP field to the key would require at least 6 more bits.
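The two steps described in the preceding paragraphs, walking the chain of next-header fields of FIG. 4 to reach the layer 4 header and then composing the access list key and checking its width against the 288-bit TCAM entry, as an added example that is not part of the patent. The sample packet (addresses from the 2001:db8::/32 documentation prefix, a hop-by-hop header, TCP 40000 to 25, DSCP 46) is constructed here; the extension header length rules follow RFC 2460 (and RFC 4302 for the authentication header), and the key layout simply concatenates the fields in the order the text lists them.

```python
import struct
from ipaddress import IPv6Address
from typing import Dict, List, Tuple

# Next-header values (IANA protocol numbers) this walk understands.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}
TCP, UDP, SCTP = 6, 17, 132
PORT_PROTOCOLS = {TCP, UDP, SCTP}

TCAM_ENTRY_BITS = 288            # widest conventional TCAM entry cited in the text
KEY_LAYOUT = [("src", 128), ("dst", 128), ("proto", 8), ("sport", 16), ("dport", 16)]
QOS_KEY_LAYOUT = KEY_LAYOUT + [("dscp", 6)]


def build_sample_packet(with_hop_by_hop: bool = True) -> bytes:
    """Constructed sample: IPv6 header (DSCP 46) [+ hop-by-hop header] + TCP 40000 -> 25."""
    src = IPv6Address("2001:db8::1").packed
    dst = IPv6Address("2001:db8::25").packed
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    # Hop-by-hop header: next header = TCP, ext len 0 (= 8 octets), one PadN option.
    hbh = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])
    payload = (hbh + tcp) if with_hop_by_hop else tcp
    first_nh = HOP_BY_HOP if with_hop_by_hop else TCP
    traffic_class = 46 << 2                      # DSCP 46, ECN 0
    first_word = (6 << 28) | (traffic_class << 20)   # version 6, flow label 0
    fixed = struct.pack("!IHBB", first_word, len(payload), first_nh, 64)
    return fixed + src + dst + payload


def find_layer4(pkt: bytes) -> Tuple[int, int]:
    """Follow next-header fields from the IPv6 header through any extension
    headers; return (layer 4 protocol number, byte offset of that header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in EXTENSION_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            length = 8                           # fixed-size header
        elif nh == AUTH:
            length = (pkt[off + 1] + 2) * 4      # AH: 4-octet units, minus 2
        else:
            length = (pkt[off + 1] + 1) * 8      # 8-octet units, excluding first 8
        nh, off = pkt[off], off + length
    if off > len(pkt):
        raise ValueError("truncated packet")
    return nh, off


def extract_key_fields(pkt: bytes) -> Dict[str, int]:
    """Pull the key ingredients from the IPv6 header and the layer 4 header."""
    proto, off = find_layer4(pkt)
    fields = {
        "src": int.from_bytes(pkt[8:24], "big"),
        "dst": int.from_bytes(pkt[24:40], "big"),
        "proto": proto,
        "sport": 0,                              # protocols without ports contribute zero
        "dport": 0,
        "dscp": ((pkt[0] & 0x0F) << 2) | (pkt[1] >> 6),   # top 6 bits of traffic class
    }
    if proto in PORT_PROTOCOLS and off + 4 <= len(pkt):
        fields["sport"] = int.from_bytes(pkt[off:off + 2], "big")
        fields["dport"] = int.from_bytes(pkt[off + 2:off + 4], "big")
    return fields


def compose_key(fields: Dict[str, int], layout: List[Tuple[str, int]]) -> Tuple[int, int]:
    """Concatenate the fields in layout order; return (key value, key width in bits)."""
    key, width = 0, 0
    for name, bits in layout:
        value = fields[name]
        if value >> bits:
            raise ValueError(f"{name} does not fit in {bits} bits")
        key, width = (key << bits) | value, width + bits
    return key, width


def fits_tcam(width: int, entry_bits: int = TCAM_ENTRY_BITS) -> bool:
    return width <= entry_bits


if __name__ == "__main__":
    fields = extract_key_fields(build_sample_packet())
    for layout in (KEY_LAYOUT, QOS_KEY_LAYOUT):
        _, width = compose_key(fields, layout)
        print(width, "bits, fits in one TCAM entry:", fits_tcam(width))   # 296 False / 302 False
```

Walking the chain is what makes the layer 4 fields expensive to reach in hardware: the offset of the port fields is only known after every preceding extension header has been parsed, and a parser that trusts the length bytes without bounds checks will read past the packet, which is why the walk above validates each step.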
Various types of addressing schemes are currently possible to identify source and destination IP addresses in IPv6, according to the IPv6 addressing architecture document, RFC 2373. For instance, multicast as well as unicast addresses are used. Unicast addresses may be classified as one of three types. The first type of unicast address is the global scoped address, which is unique across the entire network. The second type of unicast address is a local scoped address that is unique on a single link, typically referred to as a “link local” address. The third type of address is also a local scoped address, but is unique on a single site, and is therefore referred to as a “site local” address. A site is a connected subset of a network. While a global scoped address is globally unique, additional bits are required to identify the zone in which a particular local scoped address applies. This local scoped addressing therefore requires that a greater number of bits be used in an access list key.
Various solutions have been proposed in order to implement in hardware an IPv6 access control list. For instance, solutions have been implemented in which a larger key look-up is implemented through two related look-ups using smaller keys. Thus, two or more different table look-ups are performed. As one example, an access list key is first used to access an entry in a TCAM. The entry in the TCAM is then used to look up information in a second TCAM, and finally to a memory or table to determine whether a packet should be forwarded or dropped. However, the use of two different look-ups is inefficient due to the additional processing required, and not all hardware platforms can afford them.
In view of the above, it would be desirable if a key for an access control list could be implemented in IPv6 that would enable a single look-up to be performed.